Vulnerability Disclosure Policy

Introduction

This document serves as Chintai's Vulnerability Disclosure Policy (referred to hereinafter as the "Policy"). It outlines our commitment to providing exceptional service to our customers and reflects our willingness to collaborate with the community to ensure the highest standards of security.

Scope

This Policy applies to all subdomains of chintai.io.

Responsible Disclosure Guideline

To ensure the security of Chintai products and the safety of our customers, reporters must adhere to the following guidelines when submitting details on potential security vulnerabilities:

  • Share the security issues confidentially with Chintai.

  • Include detailed information in the report so that it can be properly evaluated.

  • Do not publish any information without Chintai's explicit guidance and consent.

  • Do not access or modify user data; only interact with your own or test accounts during research.

  • Notify Chintai immediately if you encounter any end-user data. Do not view, alter, save, store, transfer, or otherwise access the data, and delete any local copies immediately.

  • Act in good faith to avoid any violation of the law, destruction of data or interruption of service.

  • Ensure compliance with all applicable laws.

We will not negotiate under duress or threat. We will not negotiate under threat of withholding the vulnerability or under threat of public disclosure of the vulnerability or exposed data.

Reporting a Security Vulnerability

If you believe you have discovered a potential security vulnerability in any subdomain of chintai.io, we strongly encourage you to report it in accordance with this Policy by emailing security@chintai.io with the following details:

  • Technical description of the issue.

  • Detailed steps to reproduce and/or sample code used to exploit the vulnerability.

  • Contact information and optional name for acknowledgments.

Excluded Submission Types

The following issues are outside the scope of this Policy:

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

  • Findings generated by automated tools without detailed explanation on what parts are vulnerable and how the vulnerability might be exploited.

Vulnerability Disclosure Process

Upon receiving a report, our security team will evaluate its validity and impact, providing feedback to the reporter.

We will collaborate with the reporting party to validate vulnerabilities, gather additional information, and provide regular updates. All information is handled confidentially, with limited internal distribution. Reporters are also expected to maintain confidentiality until remediation is complete.

Once a vulnerability is confirmed and addressed, Chintai will inform the reporter of the resolution and may seek further validation. We share results, including acceptance, severity, timelines, resolution, and disclosure plans, and address any concerns in good faith.

Rewards

Chintai offers rewards for reporting vulnerabilities, with amounts varying based on the impact and quality of the report. The bounty ranges are as follows: 100 USD for low impact, 1,000 USD for medium, 3,000 USD for high, and 5,000 USD for critical vulnerabilities. These amounts are indicative and subject to change based on our discretion.

Compliance with program rules is mandatory for eligibility, and only the first reporter of an issue qualifies.

Chintai does not publicly acknowledge or offer rewards to its employees, contractors, subsidiaries, service providers, or related parties for the discovery of vulnerabilities.

Severity Determination

Vulnerabilities are rated by their impact on the confidentiality, integrity and availability of the Chintai platform.

Critical

Critical vulnerabilities are those that result in the bulk compromise of user data, the ability to bypass authentication and gain access to targeted accounts, or a negative impact on the availability of the platform.

Examples of critical vulnerabilities include:

  • Remote command execution.

  • Injection.

  • Authentication bypass resulting in access to a user's account and private data.

  • Access to production secrets such as access tokens that can be used to copy sensitive data.

  • Elevating Chintai platform privileges to admin.

High

High-rated vulnerabilities are those that allow impersonating other users or bypassing authorization.

Examples of high vulnerabilities include:

  • Cross-site scripting (XSS).

  • Bypassing authorization.

  • CSRF or similar attacks provided they result in access to another user's account or data.

  • Bypassing two-factor authentication (2FA) in the Chintai platform.

  • Performing limited admin actions without authorization.

Medium

Medium-risk vulnerabilities allow an attacker to conduct actions on behalf of another user without their permission, or access less-sensitive information.

Examples of medium vulnerabilities include:

  • CSRF or similar attacks to make a user take an action they didn't intend.

  • Disclosing user transactions and other confidential data.

  • Open redirects.

Low

Low-risk vulnerabilities typically allow a user to do something they should not be able to do, but without serious security implications.

Examples of low vulnerabilities include:

  • Self-XSS without evidence it can be chained to be non-self XSS.

  • Tab-napping.

  • Password brute-forcing that circumvents rate limiting.
